Technical Tip: Configure and diagnostic commands to check the status of the SD-WAN link

Description

This article describes how to configure and check some diagnostic commands that help to check the SD-WAN routes and status of the links.

Scope

FortiGate.

Solution

Configure the two WAN interfaces as members of an SD-WAN configuration.

 

Create a static default route pointed to the SD-WAN.

 

 

SD-WAN rule: ensure both WAN INTERFACES and the performance SLA PING are also configured in this section so that the performance SLA will dictate which ISP is the best link for each kind of traffic.

 

 

Diagnostic commands:

 

diagnose sys sdwan member
Member(1): interface: port2, gateway: 10.10.10.100, priority: 0, weight: 0
Member(2): interface: port3, gateway: 20.20.20.100, priority: 0, weight: 0

 

Run the following command to see all members on the SD-WAN link, as well as the priority and weight values for each link:

 

diagnose firewall proute list
list route policy info(vf=root):

id=2130837505 vwl_service=1(SDWAN-RULE-TEST) vwl_mbr_seq=2 1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=5 oif=4
source(1): 0.0.0.0-255.255.255.255
destination(1): 0.0.0.0-255.255.255.255

Run the following command to show which interface is the best choice for the performance SLA (in the example output below, '2' is the WAN2 interface while '1' is the WAN interface):

 

diagnose sys sdwan health-check PING
Health Check(PING):
Seq(1): state(alive), packet-loss(0.000%) latency(60.223), jitter(9.280) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(60.155), jitter(9.318) sla_map=0x0

Run the following command to show the performance SLA values for each link. Since the latency of WAN1 is higher than that of WAN2 in the example below, WAN2 is the priority route for the SD-WAN rule test under the diag firewall route list.

 

diagnose sys sdwan service  1

Service(1): Address Mode(IPV4) flags=0x0
  TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(packet-l
  Service role: standalone
  Member sub interface:
  Members:
    1: Seq_num(2), alive, packet loss: 0.000%, selected
    2: Seq_num(1), alive, packet loss: 0.000%, selected
  Src address:
        0.0.0.0-255.255.255.255
  Dst address:
        0.0.0.0-255.255.255.255       

 

In the above, the service value '1' is the SD-WAN rule ID of 'SD WAN RULE TEST'.

This command shows the preferred route taken by the SD-WAN rule.

The highest quality criterion chosen is 'PACKET LOSS'. Since no packet loss is detected on either WAN interface, the FortiGate SD-WAN rule selects both FortiGates as quality interfaces.

 

Run the following command to display a 10-minute usage history for each SD-WAN member:

 

diagnose sys sdwan intf-sla-log wan1

 

diagnose sys sdwan

member
service
route-tag-list
route-tag-flush
health-check
neighbor
log
sla-log
intf-sla-log
internet-service-app-ctrl-list
internet-service-app-ctrl-flush
internet-service-app-ctrl-category-list
reset
zone
route
route6

Notes:

• In v6.4 and below, the commands 'diagnose sys sdwan' are replaced with 'diagnose sys virtual-wan-link'.

• Starting from v7.4.4, the 'diagnose sys sdwan service' command is now divided into two separate commands for IPv4 and IPv6.

  • IPv4: 'diagnose sys sdwan service4'.

  • IPv6: 'diagnose sys sdwan service6'.

• Starting from v7.4.4, 'diagnose sys sdwan service4' and 'diagnose sys sdwan service6' no longer display the full list of IP addresses in the destination for rules that are using BGP route tag firewall address as destination.
• The 'diagnose sys sdwan route-tag-list' command needs to be used to verify the full list of IPs for the given route tag value.

Related articles: 

Technical Tip: How to configure source IP for Secure SD-WAN Performance SLA

Technical Tip: Different types of Health checks used in SD-WAN